1. Introduction and overview


1.1 Scope and Goals of this recommendation 

This recommendation was prepared by the Digital Transmission Discussion Group (DTDG) for
submission to its parent organization, known as the Copy Protection Technical Working Group
(CPTWG). The CPTWG and its subgroups, of which the DTDG is one, is an ad hoc group made up of
industry company representatives interested in the issue of protecting the rights of copyright
holders when their data is distributed to consumers in digital form. The DTDG was authorized by the
CPTWG at the end of 1996 with the expressed purpose of defining a Data Protection System (DPS)
capable of preventing the unauthorized use of copyrighted material by ordinary consumers in ways
which involve the transmission of that material in digital form over interfaces compliant with the
IEEE 1394-1995 High Performance Serial Bus standard, commercially available derivatives of that
interface standard and commercially viable applications utilizing that interface standard.

The DTDG was created to define a means of "keeping honest people honest" when such people operate
consumer electronics devices, including personal computers, which transfer copyrighted material
over the IEEE 1394 interface using an isochronous channel. Devices compliant with the DPS, at such
times as they transmit data or receive data using the DPS via an isochronous channel on the
IEEE 1394 interface, shall behave in a manner which prevents the unauthorized copying of the
copyrighted material by the average consumer.


1.2 Overview of process 

The CPTWG authorized the creation of the DTDG and assigned a chairman at the normal CPTWG
meeting which was held on October 3, 1996. Thereafter, the timeline of DTDG activity proceeded
approximately as outlined below. Please note that this chronology of events was recreated after the
fact and may not therefore be complete or accurate.

Date | Event
October 3, 1996 | CPTWG authorized the creation of the DTDG and assigned a chairman
October 25, 1996 | First meeting of the DTDG
December 17, 1997 | Second meeting of the DTDG
January 31, 1997 | Third meeting of the DTDG - began drafting official Call For Proposals; CFP discussions continue over email in the subsequent weeks
March 4, 1997 | Fourth meeting of the DTDG - detailed review of [illegible]
March 11, 1996 | CFP officially released from the DTDG
April 25, 1997 | Deadline of CFP - received 11 proposals; proposals were distributed to interested parties during subsequent weeks
June 3, 4, 5, 1997 | Fifth meeting of DTDG to discuss proposals; [illegible] proposals officially turned over to the Data Hiding Sub Group (DHSG) of the CPTWG; detailed presentations of remaining proposals by their proposers
July 9, 10, 1997 | Sixth meeting of DTDG; further review of proposals; began developing a formal request for supplemental evaluation data to be distributed to remaining proposers
July 24, 1997 | Official release of Request for Supplemental Evaluation Data, issued by the DTDG and to [illegible]
August 19, 20, 1997 | Seventh meeting of DTDG to review information from proposers; TI officially withdraws
September 18, 19, 1997 | Eighth meeting of DTDG; further review of supplemental information and detailed review of tabular representation of this information; [illegible] and Intel officially combine their proposals into a single [illegible]
October 30, 1997 | Ninth meeting of DTDG; review draft of recommendation


The Call For Proposals (CFP) which was developed by the DTDG and formally issued [illegible]
1997 is contained in Appendix B of this document. The CFP requests proposals for the
following 3 layers:

1) Copy Control Information (CCI) Layer - a means of carrying information along with the
copyrighted content that expresses the intentions of the copyright holder with regard to the
conditions under which an end consumer is authorized to make a copy

2) Authentication Layer - a means for compliant devices to establish the authenticity of another
device prior to exchanging copyrighted data

3) Encryption Layer - a means of encrypting or scrambling the copyrighted information when it is
transmitted between devices in digital form

The DTDG received 11 proposals to the CFP from the following organizations (in alphabetical order): 


1) Hitachi
2) IBM
3) Intel
4) Matsushita
5) NEC
6) NDS
7) Philips
8) PictureTel
9) Sony
10) Texas Instruments
11) Toshiba


Since the time that the DTDG received proposals from these companies on April 25, 1997, some
proposers have withdrawn their proposal while others have combined their proposal with those of
other proposers. The table below lists the proposals which were active at the time that this
recommendation was being prepared (in alphabetical order by company):

Hitachi/Matsushita/Sony
  CCI layer: Combination of Sony and Matsushita CCI
  Authentication layer: Sony key management and authentication method with [illegible] of
    challenge/response and MEI [illegible] public key for authentication within a PC
    and in other defined areas
  Encryption layer: Hitachi M6 plus Matsushita [illegible]

Intel/Toshiba
  CCI layer: unchanged from original Intel proposal
  Authentication layer: Intel proposal with [illegible]
  Encryption: unchanged from original Intel proposal

[company name illegible]
  Unchanged from original proposal

[company name illegible]
  As originally proposed with [illegible]


1.3 Relationship to Other Standards Activities

It is required that the DPS protect data when it is transmitted via an isochronous channel
on an IEEE 1394 serial bus interface. This is a minimum requirement of the DTDG DPS; however, it is
also acceptable if the DPS can protect data when it is transmitted in digital form over other media.

Given this minimum requirement, the work of the DTDG has been of some interest to various standards
groups working in related areas. In some cases, other standards setting bodies have referenced the
DTDG activity, or have implemented changes which anticipate the ultimate resolution of the copy
protection issue and the establishment of a DPS in the CE and PC industries.

The following sections describe related industry standards and other activities which recognize the
work of the DTDG and which may be affected by the establishment of an industry wide DPS.


1.3.1 IEEE P1394a 


The IEEE P1394a committee is engaged in an officially sanctioned IEEE standards activity. The scope
of the IEEE P1394a activity includes technical development of compatible extensions and/or
clarifications and interpretations of the existing IEEE 1394-1995 standard.

During the course of the DTDG activity, the IEEE P1394a committee has been periodically briefed on
the progress of the DTDG. The IEEE P1394a committee has considered additions to their subject
standard to accommodate agreements reached in the DTDG on the CCI layer, but finally decided not
to make any changes.

1.3.2 Open Host Controller Interface (OHCI)

The OHCI group is an ad hoc working group which is working to define an industry standard register
level interface for interfaces between PCs and 1394.

Some members of the OHCI group have participated in discussions at the normal DTDG meetings. At
this time, the OHCI group has decided to include in their specification a mechanism by which an OHCI
will recognize the exposed CCI bits and take appropriate action based


1.3.3 IEC 61883-FDIS 


This draft international standard defines a means of controlling consumer devices using IEEE1394 
defined asynchronous transactions, and it defines a variety of digital data formats for use in 
transmitting digital audio and digital video data over an isochronous channel on the 1394 interface. 


Some of the DTDG proposals for the encryption layer specify how the proposed encryption method
interacts with the IEC61883 defined digital data formats. Due to the widespread market acceptance of
the IEC61883 standard, it is likely that any DPS which operates on 1394 will have to explicitly
accommodate the mechanisms defined in that standard.


1.4 Legal disclaimer 

The purpose of this report is to provide a neutral technical input regarding the DPS to the Copy
Protection Technical Working Group (CPTWG), and thereafter to the plenary group consisting of the
member companies of the MPAA, CEMA, ITI and BSA which considers possible legislative
recommendation to the Congress in relation with technological measures that restrict unauthorized acts
in respect of copyright works. This report is provided without prejudice to the outcome of further
discussions regarding associated non-technical considerations. This report does not constitute any
warranty whatsoever, an offer of license to any proprietary rights or a commitment to implementation
by the DTDG or any individual or company participating in the DTDG as to any of the submitted
proposals. The DTDG or any individual or company participating in the DTDG shall, in no
circumstance, have any obligation based on this report, or on any proposal attached hereto.

Developers are warned that no final decision has been made with regard to a DPS, and that any 
product implementation based on this recommendation or the accompanying proposals is purely 
speculative. 

Readers are advised that the editors of this document are employed by Intel and Sony, who are also 
preparing submissions described herein. 


1.5 Outline of Report 

Section one of this report describes the scope of the DTDG discussions, the process which the DTDG
has followed to date, the relationship between the work of the DTDG and other standards activities
and the legal disclaimer.

Section two of this report gives an overview of cryptographic issues related to the DTDG work. This
section is intended as a tutorial for readers not familiar with these concepts.

Section three provides an overview of the standing proposals. These overviews are limited to 200
words or less and were reviewed by the proposers.

Section four contains a set of tables which contain quantitative and other information about each of the
standing proposals. This information was provided by each proposer in response to the request for
supplemental evaluation data issued by the DTDG on July 24, 1997.

Section five documents the findings of the DTDG to date.


2. Technical Tutorial on Digital Transmission Content Protection 

The DTDG Call for Proposals defined three layers which were intended to be used separately or in
combination to protect the exchange of content across digital transmission mechanisms such as the
IEEE 1394 serial bus. These layers are Copy Control Information [illegible] developed to organize
and describe the proposed solutions.

[Figure: Digital Transmission Content Protection. Copy Control Information: Embedded, Exposed,
Control Channel. Authentication and Key Exchange: Shared Secret, Public Key. Content Encryption:
Stream Cipher, Block Cipher.]

2.1 Copy Control Information (CCI)

The CCI layer provides a mechanism for exchanging the protection status of content being handled
between devices. For example, video content may require the exchange of the CGMS, APS, and digital
source bits[2]. The CCI must be exchanged in a robust manner to prevent its alteration. Should the CCI
be alterable, a circumvention device could mislead a compliant device into believing that content
originally marked "no copy" can be "copied once." Three different methods for exchanging CCI have
been identified by the proposals submitted.

2.1.1 Embedded CCI

A range of techniques have been identified for exchanging CCI in a manner which is tightly coupled
with the content. For instance, CCI is embedded in the transport mechanism for a particular content
format, e.g. the MPEG transport stream. Additionally, techniques such as watermarking can be used to
[illegible] directly [illegible] to content itself[3]. In both of these cases, the integrity of the
Embedded CCI is ensured by the same method used to prevent the copying of the content itself
(See Section [illegible]).

[1] Originally, the CFP identified this layer as just Device Authentication leaving Key Exchange as a
function not specifically associated with any particular layer. Since all proposals have chosen to
address key exchange as part of the Device Authentication protocol, the definition of this Layer will
be expanded to include Key Exchange.

[2] For further information on the definition and function of these bits see Appendix A of the CFP.


2.1.2 Exposed CCI

The exposed CCI mechanism transports the CCI in a manner such that it is available ("exposed") to
[illegible] that its integrity is maintained. A non format-cognizant [illegible] example of such a
device. Content format independence is accomplished by [illegible] of an exposed location such as in
the 1394 packet header. When bits within the header [illegible] transmission system are used to carry
CCI, typically only a subset of the [illegible] may be carried as there are only a small number of
bits which can be assigned to this purpose.

Exposed CCI has been proposed as a means to ensure that format-cognizant devices do not make
[illegible] of copy protected data. By comparing the information in the exposed CCI with
the information in the embedded CCI, a format cognizant device can differentiate between an
authorized use of a bit stream and an unauthorized copy of a bit stream.

2.1.3 Control Channel

[illegible] identified by the proposals is via a control channel. This channel must be protected
from tampering to ensure the integrity of the CCI by hashing [illegible]. Control channels are
capable of exchanging large amounts of CCI; however, [illegible]

2.2 Device Authentication and Key Exchange (AKE)

The AKE layer defines cryptographic protocols which are used by devices to [illegible] which
content [illegible] exchange. It is critical for a source device to verify the identity of
destination devices to prevent the content from being sent to a circumvention device. In addition,
the key exchange portion of the protocol provides a way to generate a shared key between two
devices which can be used to exchange content session keys.


The AKE process is based on a device's knowledge of a secret or secrets provided by a license
authority and its ability to prove that it knows the secret without revealing it. A standard approach to
proving knowledge of a secret is for the device initiating the authentication to send a random number to
the device being authenticated. This random number is typically referred to as a random challenge.
The device being authenticated modifies the random challenge in a manner determined by the device's
secret and returns the modified value to the originator of the challenge. The originator can check the
returned value to verify that the device being authenticated has access to the secret. If the value is
correct, then the authentication has been successfully completed. The confidential exchange of a
cryptographic key can also be added to this basic challenge response protocol. Many variations on this
basic protocol have been proposed. These variations are based on one of two fundamentally different
cryptographic approaches which will be described in the following sections.
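
The basic challenge response exchange described above, as an added sketch that is not part of the original report or of any submitted proposal. HMAC-SHA-256 stands in for whatever symmetric cipher or secret function a proposal would use, and the secret value, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret standing in for a value issued by the license authority.
LICENSED_SECRET = bytes.fromhex("6b1f0c9d2e4a58b7a3c5d7e9f1032547")


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Device being authenticated: modify the challenge in a way only the secret allows."""
    return hmac.new(secret, b"ake-response" + challenge, hashlib.sha256).digest()


def session_key(secret: bytes, challenge: bytes, response: bytes) -> bytes:
    """Both ends derive the same key from the secret and this run's messages."""
    return hmac.new(secret, b"ake-session" + challenge + response, hashlib.sha256).digest()


class Challenger:
    """Device initiating the authentication (for example a source device)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # the random challenge
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes):
        """Return the session key on success, None on any failure."""
        if challenge not in self._pending:
            return None  # never issued, or already used once
        self._pending.discard(challenge)  # a challenge is single use
        expected = respond(self._secret, challenge)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return None
        return session_key(self._secret, challenge, response)


def run_demo() -> dict:
    source = Challenger(LICENSED_SECRET)

    # Genuine device: knows the secret, answers the fresh challenge.
    c1 = source.new_challenge()
    r1 = respond(LICENSED_SECRET, c1)
    source_key = source.verify(c1, r1)
    sink_key = session_key(LICENSED_SECRET, c1, r1)

    # Same challenge and response presented a second time.
    replayed = source.verify(c1, r1)

    # Recorded response presented against a new challenge.
    c2 = source.new_challenge()
    stale = source.verify(c2, r1)

    # Device that does not hold the licensed secret.
    c3 = source.new_challenge()
    unlicensed = source.verify(c3, respond(b"\x00" * 16, c3))

    return {
        "genuine_accepted": source_key is not None,
        "keys_match": source_key == sink_key,
        "replay_rejected": replayed is None,
        "stale_response_rejected": stale is None,
        "wrong_secret_rejected": unlicensed is None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The fresh random challenge is what makes a recorded response useless: the verifier only accepts an answer computed over a value it issued itself and has not yet consumed.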

2.2.1 Shared Secret

The shared secret approach relies on a [illegible] technology. The secrets may be values or
cryptographic functions which are generated and distributed by the license authority to device
manufacturers. When the secret is a value, it is used with a symmetric cipher to modify the random
challenge issued during authentication. Secret functions are typically directly applied to the
random challenge. When all compliant devices must contain the common secret to interoperate, it is
considered a global shared secret.

[3] [illegible] and other related techniques to content protection are being evaluated by
the CPTWG's Data Hiding Sub Group. Contact the tri-chairs of this sub group for additional information.

11/10/97 DTDG Review and Findings of Submitted Proposals


2.2.2 Public Key

A second approach is to base the AKE protocol on public key cryptographic techniques. Public key
cryptography differs from symmetric key cryptography for AKE in that each device can have a unique
secret (the device's private key) provided by the license authority yet still interoperate with other
devices. The private key and a digital certificate signed by the license authority are used during the
authentication process to prove the authenticity of the device. In addition, public key cryptography

2.3 Content Encryption

To prevent the generation of usable copies of protected content, the content can be encrypted and
decrypted at the end points of the digital transmission system. Content which is encrypted should be
unusable by devices which do not have the necessary keys to decrypt the content. In many digital
transmission systems, such as the IEEE 1394 serial bus, all interconnected devices can receive any
[illegible]. Unless content is encrypted, non-compliant devices could make a copy.
While public key cryptography could be used to protect the [illegible] reasons, all
[illegible] key ciphers [illegible]

2.3.1 Stream Cipher

Stream ciphers apply a sequence of keys to transform individual data characters (e.g. typically bits or

2.3.2 Block Cipher

Block ciphers apply a fixed (key dependent) transformation to blocks of data.


3. Overview of Proposals 

Each of the proposals submitted to the DTDG addresses all three of the layers described in the CFP.
[illegible] The proposal proponents agreed at the June [illegible] DTDG meeting that each of the
three layers in their respective solution can be [illegible] de-coupled from each other.


3.1 Hitachi/Matsushita/Sony 

The Hitachi/MEI/Sony proposal covers all three layers of the DPS requested by the DTDG CFP. 

3.1.1 CCI 


Embedded CCI is mapped into an Encryption Mode Indicator (EMI) which indicates the encryption
modes applied to the contents. EMI allows easy access to the CCI for all compliant devices and
restricts their behavior for copy protected contents. Circumvention by changing the EMI bits will cause
the decryption to fail, thus ensuring the integrity of the EMI.
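
An added illustration of the binding described above, not code from the Hitachi/MEI/Sony proposal: the content key is derived from an exchanged key together with the EMI bits, so a receiver that is shown altered EMI derives a different key and recovers no usable data. The 2-bit EMI encodings, the key derivation and the SHA-256 counter keystream (standing in for the M6 cipher) are assumptions made for this sketch.

```python
import hashlib
import hmac

# Assumed EMI encodings for this sketch; the report does not define them.
EMI_COPY_FREE = 0b00
EMI_COPY_ONCE = 0b10
EMI_COPY_NEVER = 0b11

TS_PACKET = 188   # MPEG transport stream packet size in bytes
TS_SYNC = 0x47    # first byte of every transport stream packet


def content_key(exchange_key: bytes, emi: int) -> bytes:
    """Derive the content key from the exchanged key and the EMI bits."""
    return hmac.new(exchange_key, b"content-key" + bytes([emi & 0b11]),
                    hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key and block counter (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(exchange_key: bytes, emi: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under the key bound to this EMI."""
    stream = keystream(content_key(exchange_key, emi), len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def looks_like_transport_stream(data: bytes) -> bool:
    """A sink can tell decryption failed: every packet must start with 0x47."""
    if not data or len(data) % TS_PACKET:
        return False
    return all(data[i] == TS_SYNC for i in range(0, len(data), TS_PACKET))


def make_sample_stream(packets: int = 4) -> bytes:
    """Constructed sample content: sync byte followed by filler, per packet."""
    return b"".join(bytes([TS_SYNC]) + bytes([n]) * (TS_PACKET - 1)
                    for n in range(packets))


def run_demo() -> dict:
    exchange_key = bytes(range(16))          # constructed sample key
    clear = make_sample_stream()

    # Source marks the content "copy never" and encrypts under that mode.
    wire = xor_cipher(exchange_key, EMI_COPY_NEVER, clear)

    # Sink that sees the EMI bits unaltered.
    honest = xor_cipher(exchange_key, EMI_COPY_NEVER, wire)

    # Sink that is shown EMI rewritten to "copy once" on the way.
    tampered = xor_cipher(exchange_key, EMI_COPY_ONCE, wire)

    return {
        "honest_recovers_content": honest == clear,
        "honest_is_valid_ts": looks_like_transport_stream(honest),
        "tampered_recovers_content": tampered == clear,
        "tampered_is_valid_ts": looks_like_transport_stream(tampered),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```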


3.1.2 Authentication 


The combination of the Asymmetric and Public Key AKE and the Authentication Manager addresses
the differences in PC and CE environments.

The asymmetric key AKE, which is mandatory between CE devices, utilizes the M6 block cipher and
the asymmetric key distribution based on a pair of Service and License Key for each service the device
supports. In this proposal, each sink device has a unique License Key, generated using the
worldwide-unique Node Unique ID, defined in the IEEE1394-1995. Source devices hold the shared
service keys for each service which the device supports.

The Public Key AKE is based on elliptic curve cryptographic technique which is mandatory between PC
applications, while optional for use between 1394 devices.

3.1.3 Content Encryption

The M6 block cipher combined with MEI's converted-CBC is used.


3.2 Intel/Toshiba 


The Intel/Toshiba proposal covers all three layers of the DPS requested by the DTDG CFP. 

3.2.1 CCI 


CCI is exchanged between devices via both embedded and control channel mechanisms. To ensure the
integrity of CCI traversing the control channel, encryption, hashing, and sequence numbering techniques
are used. This proposal is compatible with exposed CCI techniques which can ensure integrity,
although no specific solution is specified.

3.2.2 Authentication and Key Exchange

A two phase mutual AKE process is proposed. The first phase of AKE (Preliminary Authentication)
uses a shared secret technique based on the modified Blowfish cipher and the SHA-1 hash function.
Following the successful completion of the first phase, content exchange is enabled and the second
phase (Full Authentication) of the AKE process is initiated. The second phase uses established Public
Key cryptographic techniques including the Digital Signature Standard and Diffie-Hellman Key
Exchange based on an Elliptic Curve Cryptosystem. Certificate revocation is provided as an optional
capability.

3.2.3 Content Encryption

This proposal can support multiple content ciphers. The specific cipher to be used for a given exchange
of content is selected during AKE. A modified version of the Blowfish block cipher is recommended as
one of the ciphers supported.

3.3 NDS 

The NDS proposal covers all three layers of the DPS requested by the DTDG CFP. This proposal has 
a broader scope than just digital transmission content protection as it supports an encrypt-once feature 
which does not require an encryption function in the CE/IT devices. However, local link 
encryption/decryption is also supported. 

3.3.1 CCI 


A CopyRight String (CBS), containing CCI and, if desired, other copyright information, is used in
content decryption to ensure its integrity.

3.3.2 Authentication and Key Exchange

The AKE is based on public key techniques: zero-knowledge Fiat-Shamir Authentication; RSA is
suggested for exchanging session keys between the authorized devices. The authentication can
automatically verify CCI data and public keys. The blacklisting of rogue devices and clones, as well as
key recovery are supported.

3.3.3 Content Encryption

This proposal suggests using either the DVB Common Scrambling Algorithm and/or the well known
DES ciphers. Alternate ciphers can be supported as well. Infrastructure for upgrades is provided.
With this proposal's encrypt-once feature the content is encrypted once-only by the source, and needs
to be decrypted only at the final play-out device. Between the source and the final destination only the
decryption key is re-encrypted at each link with the local session keys.


3.4 PictureTel

The PictureTel proposal covers all three layers of the DPS requested by the DTDG CFP.

3.4.1 CCI

CCI can be exchanged between devices via both embedded and control channel mechanisms. Message
authentication using a keyed SHA-1 hash is used to ensure the integrity of CCI carried by the control
channel. Embedded CCI can be exchanged between devices in the clear as its integrity is protected by
making correct decryption of the content dependent on it being received unaltered.
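
An added sketch of control channel CCI protected by a keyed hash and sequence numbering, the techniques named in 3.2.1 and 3.4.1; it is not code from the Intel/Toshiba or PictureTel proposals. The message layout, CCI encodings, key and names are constructed for illustration, and HMAC is assumed as the keyed SHA-1 construction.

```python
import hashlib
import hmac
import struct

# Assumed CCI encodings for this sketch; the report does not define them.
CCI_COPY_FREELY = 0
CCI_COPY_ONCE = 2
CCI_NO_COPY = 3

HEADER = struct.Struct(">IB")  # constructed layout: 32-bit sequence number, CCI byte
TAG_LEN = 20                   # SHA-1 output size in bytes


def pack_message(key: bytes, seq: int, cci: int) -> bytes:
    """Sender side: header followed by a keyed SHA-1 tag over the header."""
    body = HEADER.pack(seq, cci)
    return body + hmac.new(key, body, hashlib.sha1).digest()


class CciReceiver:
    """Receiver side: checks the tag first, then the sequence number."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = -1

    def accept(self, message: bytes) -> int:
        """Return the CCI value, or raise ValueError naming the failed check."""
        if len(message) != HEADER.size + TAG_LEN:
            raise ValueError("malformed message")
        body, tag = message[:HEADER.size], message[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag")
        seq, cci = HEADER.unpack(body)
        if seq <= self._last_seq:
            raise ValueError("stale sequence number")
        self._last_seq = seq
        return cci


def outcome(receiver: CciReceiver, message: bytes):
    """Helper for the demo: the accepted CCI value or the rejection reason."""
    try:
        return receiver.accept(message)
    except ValueError as err:
        return str(err)


def run_demo() -> list:
    key = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed sample key
    receiver = CciReceiver(key)

    first = pack_message(key, 1, CCI_NO_COPY)

    # Same message with the CCI byte rewritten from "no copy" to "copy once".
    altered = bytearray(first)
    altered[4] = CCI_COPY_ONCE

    second = pack_message(key, 2, CCI_COPY_ONCE)

    return [
        outcome(receiver, first),           # genuine, accepted
        outcome(receiver, bytes(altered)),  # tag no longer matches
        outcome(receiver, first),           # genuine but already seen
        outcome(receiver, second),          # next genuine message
        outcome(receiver, second[:-1]),     # truncated
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The tag catches alteration of the CCI byte, while the sequence number catches an old but genuine message being presented again; neither check alone covers both cases.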

3.4.2 Authentication and Key Exchange

The AKE layer provides mutual authentication and key exchange, and is based on Public Key
cryptographic techniques including RSA Digital Signatures and a variant of Diffie-Hellman Key
Exchange called the Lightweight Public Key Agreement Protocol (LiPKAP). Certificate revocation
capability is provided. In addition, an optional key recovery mechanism is supported to enable the
recovery of device keys on demand by the authorities.

3.4.3 Content Encryption

A family of stream ciphers are proposed which offer a range of performance and implementation cost
tradeoffs. NFSM-128 is a derivative of the WAKE-ROFB cipher and NFSM-160W is a derivative of
the WiderWake cipher.

4.1.3 Robustness Characteristics

5. Findings

This section contains the findings of the DTDG. The findings for each of these layers are covered in a
separate subsection. During the process of the meetings, no one has advocated that a viable DPS
[illegible]

With regard to the robustness of the standing proposals, there is no conclusion. This is due in part to
the fact that the DTDG did not have the means to objectively compare the robustness of each of the
proposals relative to each other. In the absence of other information, it is reasonable to conclude that
all of the standing proposals meet the goal of keeping "honest people honest"[4].


5.1 CCI Layer

[illegible] AV data which has been mapped to a 1394 isochronous channel, including
MPEG2 TS, digital audio and digital camcorder SD, HD and SDL formats, provides a means of
including copy control information with the transport data. For the purposes of the DTDG, this form of
data is referred to as "Embedded CCI". Because embedded CCI is encrypted and protected as
[illegible] actual copy protected content, there is no explicit need to address its integrity in its
[illegible]

The DTDG has considered the need to carry CCI outside of the data field. For purposes of DTDG
discussions, this type of CCI is referred to as "Exposed CCI". The purpose of exposed CCI is to
anticipate devices which temporarily store copy protected content as simple binary data, without
[illegible] the specific [illegible] or type of that data. Such devices have no means of learning the
value of the embedded CCI and therefore require a means of recognizing copy control information to
ensure correct operation when presented with copy protected data. Exposed CCI, along with the
combination of exposed CCI with the encryption layer, have been proposed to address this issue.

5.2 Encryption Layer 

Section 3.1. of this recommendation contains information provided by the proposers regarding the
hardware and software implementation complexity and other aspects of the encryption layer described
in each of the proposals.

When reviewing the hardware implementation complexity, it is important to note the comments found
at the end of section 3.1.1. More specifically, the discussions on this subject in the DTDG meetings
show that when calculating the number of gates required to implement a given encryption method in
hardware, no one can be certain that each proposer was able to use a metric that leads to a number
which is directly comparable to numbers calculated by other proposers.

It is also important to note that none of the proposals met the target hardware implementation
complexity described in the CFP. (CFP Target is 1Kgate, but the actual range was 15Kgate to
12Kgate).

When considering the software implementation complexity for each of the proposals in the encryption
layer, there is clearly a wide range of performance characteristics and other overheads. While the CFP
software performance target is difficult to quantify, most interested parties feel that the
three most efficient ciphers are capable of decrypting an MPEG TS at DVD rates while requiring no
more than 3% of the computation for decompression.

Finally, with regard to error handling characteristics, given the information provided by the proposers,
and considering the nature of distribution of AV data to the consumer, none of the proposals has
unacceptable performance in this area.

[4] The expression "Keep honest people honest" is in common use in the proceedings of the DTDG and its
parent organization, the CPTWG.

5.3 Authentication and Key Exchange Layer

No agreed upon set of findings was reached within the DTDG. Instead, brief statements are
provided by the proponents of shared secret and the public key AKE techniques.

5.3.1 Statement from Shared Secret AKE Proponents

Robustness:

When private key has been divulged in the Global Shared Secret key base AKE, there is a threat of
circumvention for all the device. However, Asymmetric_AKE can minimize the threat because it uses a
combination of service key, license key and node_unique_ID.

The Public_key_AKE improves security by refusing to communicate with those devices whose private
keys are revoked using the Certificate Revocation List (CRL) which is made available by the
Administration Center. Without CRL mechanism, there is no significant difference between
Public_key_AKE and Asymmetric_AKE in terms of the level of difficulty for reverse engineering, etc.

However, specifically in case of CE devices there is no reasonable method to distribute CRL, and no
memory available to store the CRL which can grow more and more over time. Therefore, in light of
difficulties in operation of revocation mechanism, the robustness achieved by the Public_key_AKE and

Furthermore, in light of the criteria of "robust enough to prevent casual copying" and the intention
shared by the industries participating CPTWG to seek for anti-circumvention legislation to prevent
commercial proliferation of circumventing devices, the both AKE meet with the expectation of CPTWG.

Speed:

Asymmetric_AKE is superior to Public_key_AKE as to performance in time elapsing. Especially for
usual processors used in CE devices, the time elapsing may cause inconvenience [illegible]
devices.

Cost:

The Asymmetric_AKE is superior to Public_key_AKE as to hardware and software resources required
for implementation. The cost for implementation increases in Public_key_AKE more powerful CPU
more program ROM and work RAM are needed.

5.3.2 Statement from Public Key AKE Proponents 

The Content Protection System (CPS) for 1394 is a critical link in the chain of technologies used to
protect content from being copied as it is distributed to the end user. Accordingly, the 1394 CPS must
provide robust protection that will not be a weak link between devices that support other content
protection mechanisms including DVD, cable, and direct broadcast satellite. As time and technology
progress, significant challenges will be encountered while trying to maintain a policy of "keeping honest
people honest". To address this the 1394 CPS solution must be scaleable and long lived
[illegible] interoperability between present and future devices while maintaining a reasonable
balance between cost, overhead, and robustness.

[illegible] Public key based CPS to address [illegible] it will have the required robustness and
scalability to keep "honest people honest"

5.4 Findings on Issues Related to Implementation in Systems

Additionally, all DPS systems require some means of managing the distribution of keys to device

The DTDG has been operating under the assumption that there are and will continue to be a variety of
[illegible] at the point [illegible] pre-recorded media such as DVD, or broadcast such as digital
terrestrial or [illegible]. [illegible] the requirements established in the CFP for a three layer
device to device [illegible] defines an end to end (original content source to final [illegible].
Except for the "Encrypt Once" [illegible] of the [illegible] proposals [illegible] affected by the
details of how content providers protect their [illegible] operating.

6. Appendix A: Definition of Terms

Cryptography: science and study of secret writing.

Cipher: secret method of writing that transforms plaintext into ciphertext.

Encryption (encipherment, scrambling): process of transforming plaintext into ciphertext.

Decryption (deciphering, descrambling): process of transforming ciphertext into plaintext.

Cryptanalysis: science and study of breaking ciphers.

Cryptology: cryptography + cryptanalysis.

Cryptographic system (cryptosystem):
  A plaintext message space.
  A ciphertext message space.
  A key space.
  A family of enciphering transformations.
  A family of deciphering transformations.

Symmetric-key cipher: enciphering and deciphering keys are the same or can be easily determined from

Stream cipher: apply a sequence of keys to transform individual data characters (e.g.
typically bits or bytes.) Examples: RC4 and SEAL. Stream ciphers can either be symmetric-key or

Block cipher: apply a fixed (key dependent) transformation to blocks of data.
Examples: DES, FEAL, IDEA, and RC5. Block ciphers can either be symmetric-key or public key.

Asymmetric (public) key cipher: enciphering and deciphering keys differ in such a way that at least
one [illegible] infeasible to determine from the other. Examples: RSA, ElGamal, and [illegible]

[illegible]: property whereby [illegible] has not been altered in an unauthorized manner since the
time it was created, transmitted, or stored by an authorized source.

Authentication: (1) Message authentication, (2) Entity authentication.

Message authentication (data origin authentication): type of authentication whereby a party is

Entity authentication (identification): type of authentication whereby one party is assured of the
identity of a second party involved in a protocol, and that the second has actually participated.

Digital signature: data string which associates a message with some originating entity.

Digital signature scheme: signature generation algorithm + associated verification algorithm.

Two general classes of digital signature schemes: (1) digital signature schemes with appendix, (2)
digital signature schemes with message recovery.
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